This one keeps coming back on F16:-( I can ssh to and from the host, so part of the system knows it is there. I exported the file systems on julie again to make sure that was set up. What can "No route to host" mean?
Thanks don
On Thu, 2012-04-12 at 11:33 -0700, don fisher wrote:
Service started?
On 04/12/12 11:52, Terry Polzin wrote:
Yes. I forgot to mention in my post that I can mount my NAS device via nfs. So some parts of nfs are alive.
Sorry for the oversight. Don
On 12/04/12 20:00, don fisher wrote:
is netfs started, chkconfig --list netfs
On 04/12/12 12:04, Frank Murphy wrote:
It looks like it is, but I am not sure. Output from chkconfig is:
Note: This output shows SysV services only and does not include native systemd services. SysV configuration data might be overridden by native systemd configuration.
netfs          0:off  1:off  2:off  3:on   4:on   5:on   6:off
On Thu, 2012-04-12 at 12:10 -0700, don fisher wrote:
Try "systemctl status netfs.service", o/p should be similar to my f16 machine below.
systemctl status netfs.service
netfs.service - LSB: Mount and unmount network filesystems.
	  Loaded: loaded (/etc/rc.d/init.d/netfs)
	  Active: active (exited) since Thu, 12 Apr 2012 08:05:02 -0400; 7h ago
	 Process: 1053 ExecStart=/etc/rc.d/init.d/netfs start (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/netfs.service
On 04/12/2012 11:33 AM, don fisher wrote:
I have a few questions for you. They'll probably seem obvious, but I'm trying to eliminate any possibility of misunderstanding or human error here. I'm going to phrase them in the form of statements of what I presume is happening, so please let me know if any of them aren't correct.
1) You can ssh to julie even when NFS is failing for you.
2) You are referring to the server in exactly the same way both for NFS and ssh.
3) You have not made any changes to your NFS configuration or to /etc/fstab.
I don't know enough about NFS to suggest what's going on if all three of those statements are correct, but if they're not, it might tell you just where to look. Good luck!
On Thu, 2012-04-12 at 11:33 -0700, don fisher wrote:
Sounds like a firewall problem. "julie" may be allowing ssh but not allowing NFS. Check the output of "iptables -L -v" on julie. There are probably rules that allow TCP port 22 and drop everything not explicitly allowed by default.
NFS is a very hard protocol to write firewall rules for because it uses ports that vary. I generally don't use NFS in an environment where I need to have the firewall turned on.
Easy test: on julie, run "systemctl stop iptables.service" and then see if you can NFS-mount files from it. (Don't forget to run "systemctl start iptables.service" afterwards when you are done to make sure you don't leave julie vulnerable, until you determine if the environment is safe to run without a firewall).
--Greg
On 04/12/12 12:20, Terry Polzin wrote:
Mine is the same, as far as I can tell.
systemctl status netfs.service
netfs.service - LSB: Mount and unmount network filesystems.
	  Loaded: loaded (/etc/rc.d/init.d/netfs)
	  Active: active (exited) since Wed, 11 Apr 2012 18:03:25 -0700; 19h ago
	 Process: 1003 ExecStart=/etc/rc.d/init.d/netfs start (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/netfs.service
Don
On 04/12/12 13:21, Greg Woods wrote:
When I disabled iptables.service on julie I was able to mount it. If I run system-config-firewall, nfs is enabled. What else do I need to enable?
The output from iptables -L -v is:
sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   460 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ftp
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         state NEW udp dpt:mdns
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:nfs
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:ipp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ipp
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:ipp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:netbios-ns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:netbios-dgm
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:netbios-ssn
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:microsoft-ds
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:netbios-ns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:netbios-dgm
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 368 bytes)
 pkts bytes target     prot opt in     out     source               destination
On 04/13/2012 04:37 AM, don fisher wrote:
Are you using NFSv3 or NFSv4?
FWIW, I use NFSv4 these days since one has to do a bit of work, exactly what I've forgotten, to configure NFSv3 to work with static ports making the firewall easy to configure.
On 04/12/12 13:45, Ed Greshko wrote:
NFSv4. I understand that the advantages of tcp over udp are significant.
Thanks Don
On 04/12/2012 01:37 PM, don fisher wrote:
NFS uses a lot of ports via portmapper (portmap, rpc.statd, rpc.mountd), not just nfsd. You need to get julie to accept connections to those ports. The problem is that the ports vary from startup to startup (which is why portmapper is used).
You can lock which ports each service uses by editing the /etc/sysconfig/nfs file and adjusting the values there. Once that's done, make sure julie has those ports allowed in its firewall and restart the nfs server.
Alternately, if this is a private network, you could put in a firewall rule that allows all incoming connections on that private network.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2      ICQ: 22643734      Yahoo: origrps2         -
-                                                                    -
-  Memory is the second thing to go, but I can't remember the first! -
----------------------------------------------------------------------
On 04/12/12 13:58, Rick Stevens wrote:
How is the system as distributed supposed to handle these mappings? It appears that every time I fix something in my configuration the next set of updates breaks it. And I lose track of the many fixes I have to install. Shouldn't NFSv4 work out of the box?
Don
On 04/12/12 13:58, Rick Stevens wrote:
In the old days, there were files /etc/hosts.allow and /etc/hosts.deny. As I recall, they had something to do with tcpd. Do they serve any purpose with ipchains?
Thanks, don
Around 09:37pm on Thursday, April 12, 2012 (UK time), don fisher scrawled:
These instructions explain how to open the firewall.
http://www.stevesearle.com/tech/faq.html#nfs0010
Steve
On 04/12/2012 02:32 PM, don fisher wrote: <snip>
No, /etc/hosts.[allow|deny] are part of the tcpwrapper system and thus are in userspace (at the application level). Applications must be compiled and linked with tcpwrappers for it to work. In other words, it's "voluntary".
iptables is a kernel-level firewall. Packets have to get through iptables before they're even "passed up the food chain" to be seen by the tcpwrapper stuff. If iptables is active, then all network I/O goes through iptables regardless of what an individual application wants. If iptables denies a packet, then the upper level stuff won't even see the packet in the first place.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com -
- AIM/Skype: therps2      ICQ: 22643734      Yahoo: origrps2         -
-                                                                    -
- "People tell me I look at the dark side. That's not true. I have   -
-  the heart of a small boy......in a jar right here on my desk."    -
-                                        -- Stephen King             -
----------------------------------------------------------------------
On 04/13/2012 04:57 AM, don fisher wrote:
Of course it isn't a question of understanding. I still use NFSv3 in some cases where the client is unable to utilize NFSv4.
Here are my iptables rules on one of my systems....which uses only NFSv4.
[root@f16-1 sysconfig]# cat iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
As you can see, only port 2049 is needed for NFSv4 to work...
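As an added example (not code from anyone in this thread), here is a small shell helper that ties Rick's advice (pin the RPC daemon ports in /etc/sysconfig/nfs, then open exactly those) to Ed's observation that an NFSv4-only server needs just TCP 2049: it reads the pinned ports from a config file and emits INPUT rules in the same iptables-save syntax as Ed's file. The variable names MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT and RQUOTAD_PORT are assumed to be the ones Fedora's /etc/sysconfig/nfs uses; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the pinned-port settings of
# /etc/sysconfig/nfs into iptables INPUT rules (iptables-save syntax).
# Assumption: the variable names are the ones Fedora's /etc/sysconfig/nfs
# uses (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT, RQUOTAD_PORT)
# and their values are plain unquoted port numbers.

# Constructed sample of /etc/sysconfig/nfs with every RPC daemon pinned.
SAMPLE_NFS_CONFIG='# constructed sample, not a real host config
MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
RQUOTAD_PORT=875'

# cfg_value FILE VAR: print VAR's value from FILE (last uncommented
# assignment wins) or nothing if it is not set. The file is parsed with sed,
# not sourced, so nothing in it can execute here.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# rule PROTO PORT: one stateful accept rule in the style of the thread's rules.
rule() {
    printf '%s\n' "-A INPUT -m state --state NEW -m $1 -p $1 --dport $2 -j ACCEPT"
}

# pinned_rule FILE VAR PROTOS: emit one rule per protocol for the port VAR
# names. Fail loudly if VAR is unset or not numeric: that daemon would then
# bind a random port on every start and no static rule could cover it.
pinned_rule() {
    port=$(cfg_value "$1" "$2")
    case $port in
        ''|*[!0-9]*)
            echo "error: $2 is not set to a port number in $1" >&2
            return 1 ;;
    esac
    for proto in $3; do
        rule "$proto" "$port"
    done
}

# nfs_rules FILE MODE: MODE "v4" gives the single TCP 2049 rule an NFSv4-only
# server needs; MODE "v3" adds UDP 2049, rpcbind on 111 and the pinned
# mountd, statd, rquotad and lockd ports read from FILE.
nfs_rules() {
    file=$1
    mode=$2
    rule tcp 2049
    [ "$mode" = v4 ] && return 0
    rule udp 2049
    rule tcp 111
    rule udp 111
    pinned_rule "$file" MOUNTD_PORT "tcp udp" || return 1
    pinned_rule "$file" STATD_PORT "tcp udp" || return 1
    pinned_rule "$file" RQUOTAD_PORT "tcp udp" || return 1
    pinned_rule "$file" LOCKD_TCPPORT tcp || return 1
    pinned_rule "$file" LOCKD_UDPPORT udp || return 1
}

# Stand-alone demo on the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_NFS_CONFIG" > "$demo_file"
echo "# NFSv4 only:"
nfs_rules "$demo_file" v4
echo "# NFSv3 with pinned ports:"
nfs_rules "$demo_file" v3
rm -f "$demo_file"
```

Run it against the real /etc/sysconfig/nfs to see which daemons are still unpinned before adding any rule; the v3 output is meant to be pasted above the final REJECT line of the *filter section, and the server restarted so the daemons pick up the pinned ports.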